The JWT auth provider

To use this project, add the following dependency to the dependencies section of your module.ceylon:

shared import io.vertx.ceylon.auth.jwt "3.3.2";

JSON Web Token (JWT) is a simple way to send information in the clear (usually in a URL) whose contents can be
verified to be trusted. JWTs are well suited for scenarios such as:

In a Single Sign-On scenario where you want a separate authentication server that can then send user
information in a trusted way.

Stateless API servers, very well suited for single page applications.

etc.

Before deciding on using JWT, it’s important to note that JWT does not encrypt the payload; it only signs it. You
should not send any secret information using JWT. Rather, you should send information that is not secret but needs to
be verified. For instance, sending a signed user id to indicate the user that should be logged in would work great!
Sending a user’s password would be very, very bad.

Its main advantages are:

It allows you to verify token authenticity.

It has a JSON body to contain any variable amount of data you want.

It’s completely stateless.

To create an instance of the provider you use JWTAuth. You specify the configuration
in a JSON object.

A typical flow of JWT usage is that your application has one endpoint that issues tokens. This endpoint
should be running in SSL mode. There, after you verify the requesting user, say by username and password, you would
do:

When no keystore is provided, the implementation falls back to unsecure mode and signatures will not be verified. This
is useful for cases where the payload is signed and/or encrypted by external means.

Generate a new Keystore file

The only tool required to generate a keystore file is keytool. You can now specify which algorithms you need by
running: